Description

Servlet member fields may allow one user to see another user's data.

Many Servlet developers do not realize that, unless a Servlet implements the SingleThreadModel interface, the Servlet is a singleton: the container creates only one instance of the Servlet, and that single instance is used and re-used to handle multiple requests that are processed simultaneously by different threads. (SingleThreadModel is itself deprecated, and it does not protect static fields or other state shared outside the instance, so it is not a fix for this problem.)

A common result of this misunderstanding is that developers use Servlet member fields in such a way that one user may inadvertently see another user's data. In other words, storing user data in Servlet member fields introduces a data access race condition.

Risk Factors

Talk about the factors that make this vulnerability likely or unlikely to actually happen

Discuss the technical impact of a successful exploit of this vulnerability

Consider the likely [business impacts] of a successful attack

Examples

The following Servlet stores the value of a request parameter in a member field and later echoes that value to the response output stream.

While this code will work perfectly in a single-user environment, if two users access the Servlet at approximately the same time, it is possible for the two request handler threads to interleave in the following way:
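As an added illustration (not the page's original listing), the Servlet below shows the defect described above next to a corrected version that keeps the per-request value in a local variable. The class names and the "name" parameter are assumptions; the javax.servlet API is assumed (use jakarta.servlet on Servlet 5+ containers).

```java
import java.io.IOException;
import java.io.PrintWriter;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

// Vulnerable (hypothetical example): the container creates ONE instance of this
// class and dispatches concurrent requests to it on different threads, so the
// member field "name" is state shared by every in-flight request.
public class GreetingServlet extends HttpServlet {
    private String name;   // shared across all requests handled by this instance

    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        name = req.getParameter("name");       // thread A stores "alice"
        // If thread B runs here and stores "bob" into the same field,
        // thread A continues with B's value below.
        resp.setContentType("text/plain;charset=UTF-8");
        PrintWriter out = resp.getWriter();
        out.println("Hello, " + name);         // thread A may now print "bob"
    }
}

// Hardened: the per-request value lives in a local variable, which is private
// to the thread's own stack frame, so interleaving handler threads cannot
// see or overwrite each other's data.
class SafeGreetingServlet extends HttpServlet {
    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        String name = req.getParameter("name"); // local to this invocation only
        resp.setContentType("text/plain;charset=UTF-8");
        PrintWriter out = resp.getWriter();
        out.println("Hello, " + name);
    }
}
```

The same rule applies to any object reachable from a member field (collections, StringBuilders, DAOs holding a "current user"): if it changes per request, it belongs in a local, in the request attributes, or in the HttpSession, not on the Servlet instance.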